Google pulls SMS trojans from Market
By Stewart Mitchell
Posted on 13 Dec 2011 at 08:58
Google has been forced to remove a series of premium rate apps from its Android Market after user complaints.
According to security experts, Google has taken the apps offline, but not before they were downloaded by unsuspecting users, with the apps reportedly sending premium rate texts.
Posing as free versions of popular games - including Cut the Rope, Need for Speed and World of Goo - the SMS dialler was published under accounts named Logastrod and Miriada Production.
Both Market accounts have since been closed, but according to security experts the apps mark a new stage in Android malware because of the global reach of the operation.
"In the past, all of the premium rate SMS trojans that we've actively encountered have targeted Russia," said security company F-Secure in a blog. "These trojans are targeting 18 countries."
The UK, France, Germany, and Poland were among the countries targeted.
The premium rate issue comes at a bad time for Google's Android, which has been criticised by the security industry over what it considers lax oversight of the Android Market.
While Apple uses a strict vetting process, Google relies on takedown requests if apps are reported after publication.
The revelation comes at a particularly embarrassing time for Google after senior open source employee Chris DiBona blasted mobile security companies as "charlatans and scammers" for selling antivirus protection he claimed was unnecessary.
We are waiting to hear back from Google regarding the takedown.
I hope Google introduces even basic screening for apps because clearly displaying permissions alone isn't good enough.
BTW, I'm not saying they should clamp down like Apple, just screen apps for malicious things.
By tech3475 on 13 Dec 2011
Would the rogue apps have to ask for permissions to send SMS on installation? I'm guilty of not checking but perhaps potentially risky permissions should be highlighted better?
By NR5674 on 13 Dec 2011
I read the permissions before installing apps, but would like to see an ability to block apps from doing certain things once installed. An execution control list per app? Also, would it be too hard for the Android OS to ask the user for permission to complete an action that may cost? (With a tick box for never asking again, of course.)
By selwe11 on 13 Dec 2011
It lists the permissions, but if the person hasn't noticed that the copy of Angry Birds he is currently downloading doesn't come from Rovio (and doesn't have several million downloads), then he probably isn't going to pay much attention to the permissions either - if he even understands them.
For instance, a lot of games "need" geolocation information. No they flaming well don't! That should be an option, which, as selwe11 says, the user should be able to select, whether that permission is enabled or not for the app.
As to Chris, the biggest problem was, the last time the Android anti virus solutions were independently tested all of them found between 0% and 2% of malware samples they were given!
A solution to a problem that doesn't exist? Not exactly, but a completely ineffectual solution. To be honest, I'd rather use no security software, at the moment, and be aware that I have to be careful.
Android security software is like trying to have safe sex using a condom made of tissue paper!
By big_D on 13 Dec 2011
I'd like it to work like a firewall, you receive a notification when the app is trying to do something like make a call or send a msg and costs could be associated etc.
By Deano on 13 Dec 2011
I probably don't know enough about this issue as I've only owned a mobile phone for the last 6 months (HTC Wildfire), but that said, one thing that has struck me and confuses the hell out of me as a long time PC user is how in hell is anyone supposed to tell the difference between a "safe" app and a "malicious" app when, as far as I can tell, 'all' apps have a 'permission' requirement that in one way or another I would never allow on my PC.
i.e. Either you accept that 'apps' have 'permissions' you wouldn't otherwise accept on another device, or you have no 'apps' at all.
By pentlands on 13 Dec 2011
Apologies for the poor structure of my post.
Note to self: Compose in Notepad, then cut & paste into PC Pro's tiny little comment box the next time.
By pentlands on 13 Dec 2011
The only real way is to research, unfortunately.
If you are downloading "Evernote", ensure it comes from Evernote Corp.
If you are downloading "Angry Birds", make sure it comes from Rovio etc.
If you aren't sure who makes the app, do some background research or go by the reviews; if the app has thousands of good ratings, it is probably a good app...
It is a pain and a real problem with the Android eco-system, but there isn't currently a way to avoid knowing what you are doing, when downloading.
By big_D on 14 Dec 2011